Detecting counterfeit electronic components using emi telemetric fingerprints

ABSTRACT

One embodiment of the present invention provides a system that non-intrusively detects counterfeit components in a target computer system. During operation, the system collects target electromagnetic interference (EMI) signals generated by the target computer system using one or more antennas positioned in close proximity to the target computer system. The system then generates a target EMI fingerprint for the target computer system from the target EMI signals. Next, the system compares the target EMI fingerprint against a reference EMI fingerprint to determine whether the target computer system contains a counterfeit component.

RELATED APPLICATIONS

This application is a continuation of, and hereby claims priority under35 U.S.C. §120 to, pending U.S. patent application Ser. No. 11/974,788,entitled “Detecting Counterfeit Electronic Components using EMITelemetric Fingerprints,” by inventors Kenny C. Gross, Ramakrishna C.Dhanekula, and Andrew J. Lewis, filed on 16 Oct. 2007 (atty. docket no.SUN08-0037).

BACKGROUND

1. Field of the Invention

Embodiments of the present invention generally relate to techniques fordetecting counterfeit components in electronic systems. Morespecifically, embodiments of the present invention relate to a methodand an apparatus that detects counterfeit electronic components bymonitoring and analyzing EMI emissions generated from an electronicsystem which contains the components.

2. Related Art

Counterfeiting of electronic components has become an increasing problemfor electronics and computer system manufacturers worldwide. One experton counterfeiting accurately summarizes the problem as follows:“counterfeit electronics have been reported in a wide range of products,including computers, telecommunications equipment, automobiles, avionicsand military systems. Counterfeit electronic products include everythingfrom very inexpensive capacitors and resistors to costlymicroprocessors. Unfortunately, this problem is growing rapidly and nosigns of abatement are in sight.” It has been estimated thatcounterfeiting of electronic components is costing the electronicsindustry $200 billion per year across the industry. One study estimatedthat as high as one in 10 information technology products iscounterfeit.

In practice, counterfeiters typically use packaging, labeling, and partnumbers that very closely match the authentic parts or systems todeceive purchasers. In fact, counterfeit parts often appear so real thatservice engineers cannot distinguish them from authentic parts by simplyvisually inspecting the parts. However, the counterfeit parts oftencontain scrap components from discarded systems, cheaply manufacturedcomponents, or older components from recycled vintage systems, which arerepackaged to resemble authentic systems. Such systems are thenintegrated into the supply chain via brokerage channels. When thecounterfeit parts or systems are shipped to customers, they often failon arrival or within a very short time period. Counterfeit parts thathave poor performance (e.g., systems with older versions of chips putinto newer server boxes) can cause additional customer dissatisfaction.Furthermore, for military, medical, and aviation electronics,counterfeit parts and systems can lead to life-threatening problems.

The most commonly used technique for mitigating counterfeiting in theelectronics and computing industry is to use technologies that make thelabeling of parts very difficult for counterfeiters to reproduce (e.g.,by using holographic labeling). However, the process of authenticatingsuch state-of-the-art labels often requires a system or component to bedisassembled. It also requires a person with a trained eye to examineinternal parts to make subjective judgments on how well the colors andpatterns in the labels match the authentic labels. Unfortunately, suchintrusive counterfeit detection techniques are extremelylabor-intensive, and are hence impractical for customs inspections.Furthermore, the detection techniques are prone to human errors becausecomplex systems need to be disassembled and reassembled.

Hence, what is needed is a method and an apparatus that facilitatesnon-intrusive detection of counterfeit components in electronic systemswithout the above-described issues.

SUMMARY

One embodiment of the present invention provides a system thatnon-intrusively detects counterfeit components in a target computersystem. During operation, the system collects target electromagneticinterference (EMI) signals generated by the target computer system usingone or more antennas positioned in close proximity to the targetcomputer system. The system then generates a target EMI fingerprint forthe target computer system from the target EMI signals. Next, the systemcompares the target EMI fingerprint against a reference EMI fingerprintto determine whether the target computer system contains a counterfeitcomponent.

In a variation on this embodiment, prior to collecting the target EMIsignals, the system generates the reference EMI fingerprint by:collecting reference EMI signals generated by a certified authenticreference computer system of the same type as the target computer systemand generating the reference EMI fingerprint for the certified authenticreference computer system from the collected reference EMI signals.

In a further variation on this embodiment, the reference EMI signals aregenerated by the certified authentic reference computer system duringexecution of a load script, wherein the load script includes a specifiedsequence of operations. Furthermore, the target EMI signals aregenerated by the target computer system during execution of the sameload script.

In a further variation, the system generates the reference EMIfingerprint by: transforming the reference EMI signals from atime-domain representation to a frequency-domain representation, whichis comprised of a plurality of discrete frequencies; for each of theplurality of discrete frequencies, constructing an amplitude-time seriesbased on the reference EMI signals collected over a predetermined timeperiod; selecting a subset of frequencies from the plurality of discretefrequencies based on the associated amplitude-time series; andgenerating the reference EMI fingerprint using the amplitude-time seriesassociated with the selected frequencies.

In a further variation, the system selects the subset of frequencies by:computing cross-correlations between pairs of amplitude-time seriesassociated with pairs of the plurality of frequencies; computing anaverage correlation coefficient for each of the plurality offrequencies; and selecting the subset of frequencies that are associatedwith the highest average correlation coefficients.

In a further variation, the system generates the target EMI fingerprintby: transforming the target EMI signals from a time-domainrepresentation to a frequency-domain representation and, for each of theselected frequencies in the reference EMI fingerprint, generating anamplitude-time series based on the frequency-domain representation ofthe target EMI signals collected over time.

In a variation on this embodiment, the system trains a non-linear,non-parametric regression model using the reference EMI fingerprint forthe certified authentic reference computer system.

In a further variation on this embodiment, the system compares thetarget EMI fingerprint against the reference EMI fingerprint as follows:for each of the selected frequencies, producing an estimatedamplitude-time series signal using the regression model, and comparing acorresponding amplitude-time series signal in the target EMI fingerprintwith the estimated amplitude-time series signal produced by theregression model; and determining from the comparison whether the targetEMI fingerprint matches the estimated signals produced by the regressionmodel.

In a further variation, the system determines whether the target EMIfingerprint matches the estimated signals by: computing a residualsignal between a corresponding pair of amplitude-time series; anddetecting anomalies in the residual signal by using sequential detectiontechniques.

In a variation on this embodiment, the one or more antennas arepositioned outside of the chassis of the target computer system.

In a variation on this embodiment, the one or more antennas arepositioned at a predetermined distance from and orientation to thechassis of the target computer system.

In a variation on this embodiment, the one or more antennas arepositioned inside a chassis for the target computer system.

In a variation on this embodiment, the one or more antennas arepositioned in the vicinity of a target component with the targetcomputer system.

In a variation on this embodiment, multiple antennas are positioned inthe vicinity of multiple target components within the target computersystem.

In a variation on this embodiment, the one or more antennas used tocollect the reference EMI signals are placed in substantially the samemanner with respect to the reference computer system as the one or moreantennas used to collect the reference EMI signals are placed withrespect to the target computer system.

In a variation on this embodiment, each antenna can be a wire.

In a further variation on this embodiment, the wire is a striped wire.

Another embodiment of the present invention provides a system thatnon-intrusively detects counterfeit components within a target computersystem. During operation, the system collects target electromagneticinterference (EMI) signals generated by a target component within thetarget computer system using one or more antennas positioned in closeproximity to the target component. The system then generates a targetEMI fingerprint for the target component from the target EMI signals.Next, the system compares the target EMI fingerprint against a referenceEMI fingerprint associated with the target component within a certifiedauthentic computer system of the same type as the target computersystem. The system then determines whether the target component withinthe target computer system is a counterfeit component based on thecomparison result.

In a variation on this embodiment, prior to collecting the target EMIsignals, the system generates the reference EMI fingerprint by:collecting reference EMI signals generated by the target componentwithin the certified authentic reference computer system using one ormore antennas positioned in close proximity to the target component; andgenerating the reference EMI fingerprint for the target component fromthe reference EMI signals.

BRIEF DESCRIPTION OF THE FIGURES

The patent or application file contains at least one drawing executed incolor. Copies of this patent or patent application publication withcolor drawings will be provided by the Office upon request and paymentof the necessary fee.

FIG. 1 illustrates a computer system in accordance with an embodiment ofthe present invention.

FIG. 2A illustrates a computer system and an associated EMI-basedcounterfeit detector in an external (global) detection configuration inaccordance with an embodiment of the present invention.

FIG. 2B illustrates a computer system and an associated EMI-basedcounterfeit detector in an internal (local) detection configuration inaccordance with an embodiment of the present invention.

FIG. 3 illustrates the detailed structure of an EMI signal analysismechanism in accordance with an embodiment of the present invention.

FIG. 4 presents a flowchart illustrating the process of detectingcounterfeit components in a target computer system based on EMIfingerprints in accordance with an embodiment of the present invention.

FIG. 5 presents a flowchart illustrating the process of generating areference EMI fingerprint from a certified authentic reference computersystem in accordance with an embodiment of the present invention.

FIG. 6 presents a flowchart illustrating the process of generating thereference EMI fingerprint from the collected reference EMI signals inaccordance with an embodiment of the present invention.

FIG. 7 presents a flowchart illustrating the process of selecting thesubset of frequencies based on the correlations between amplitude-timeseries in accordance with an embodiment of the present invention.

FIG. 8 illustrates a portion of a combined frequency-spectrum-timeseries produced from the reference EMI signals generated by a referencecomputer system while executing a load script in accordance with anembodiment of the present invention.

FIG. 9 presents a flowchart illustrating the process of generating atarget EMI fingerprint for the target computer system in accordance withan embodiment of the present invention.

FIG. 10 presents a flowchart illustrating the process of comparing thetarget EMI fingerprint against the reference EMI fingerprint todetermine whether the target computer system contains a counterfeitcomponent in accordance with an embodiment of the present invention.

FIG. 11A illustrates a portion of a combinedfrequency-spectrum-time-series corresponding to EMI signals generated bya disk drive from Company-A while executing random reads in accordancewith an embodiment of the present invention.

FIG. 11B illustrates a portion of a combined frequency-spectrum-timeseries corresponding to EMI signals generated by a disk drive fromCompany-B while executing random reads in accordance with an embodimentof the present invention.

FIG. 11C illustrates the process of comparing the 332 MHz signature inthe target EMI fingerprint of the disk drive from Company-B and in thereference EMI fingerprint of the disk drive from Company-A in accordancewith an embodiment of the present invention.

FIG. 11D illustrates the process of comparing the 332.6667 MHz signaturein the target EMI fingerprint of the disk drive from Company-B and inthe reference EMI fingerprint of the disk drive from Company-A inaccordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The following description is presented to enable any person skilled inthe art to make and use the invention, and is provided in the context ofa particular application and its requirements. Various modifications tothe disclosed embodiments will be readily apparent to those skilled inthe art, and the general principles defined herein may be applied toother embodiments and applications without departing from the spirit andscope of the present invention. Thus, the present invention is notlimited to the embodiments shown, but is to be accorded the widest scopeconsistent with the claims.

Overview

Electromagnetic interference (EMI) signals are generated by computersystems or other electronic systems during operation. These EMI signalsare commonly regarded as noise, and electronic systems are oftenshielded to minimize the amount of EMI signals emitted by the electronicsystem. However, these EMI signals can also carry information that canbe used to generate unique fingerprints for system components. Oneembodiment of the present invention provides a technique thatnon-intrusively detects counterfeit components within a targetelectronic system by analyzing such EMI signals collected from theelectronic system.

Although we describe the present invention in the context of a specificcomputer system below, the general principles and techniques of thepresent invention can be applied to any electronic system that comprisesat least one electronic component.

In one embodiment of the present invention, EMI time-series signalsgenerated by an authentic reference computer system (“reference computersystem” hereafter) are collected using an EMI sensor positioned in closeproximity to the reference computer system. One embodiment of thepresent invention then produces from the collected EMI time-seriessignals a reference EMI fingerprint that is unique and identical for allcomputer systems of the same type, which contain the same set ofauthentic components as the reference computer system. In oneembodiment, the EMI time-series signals are generated and collected whenthe reference computer system is executing a given sequence of code.

In one embodiment of the present invention, EMI time-series signalsgenerated by a target computer system of the same type as the referencecomputer system are collected using an EMI sensor positioned in closeproximity to the target computer system. One embodiment of the presentinvention then produces from the collected EMI time-series signals anEMI fingerprint that is characteristic of the target computer system. Inone embodiment, the EMI time-series signals are generated and collectedwhen the target computer system is executing the same sequence of codeused to generate the reference EMI fingerprint.

One embodiment of the present invention compares the EMI fingerprint ofthe target computer system with the reference EMI fingerprint associatedwith the reference computer system. In one embodiment of the presentinvention, this comparison involves using an advancedpattern-recognition technique. The comparison results are used todetermine whether counterfeit components are present in the targetcomputer system.

In one embodiment of the present invention, the EMI sensor is an antennathat can be placed either inside or outside the chassis of the targetcomputer system. In one embodiment of the present invention, the antennais a piece of stripped wire of a predetermined length.

Computer System

FIG. 1 illustrates a computer system 100 in accordance with anembodiment of the present invention. As illustrated in FIG. 1, computersystem 100 includes processor 102, which is coupled to a memory 112 andto peripheral bus 110 through bridge 106. Bridge 106 can generallyinclude any type of circuitry for coupling components of computer system100 together.

Processor 102 can include any type of processor, including, but notlimited to, a microprocessor, a mainframe computer, a digital signalprocessor, a personal organizer, a device controller and a computationalengine within an appliance, and any other processor now known or laterdeveloped. Furthermore, processor 102 can include one or more cores.Processor 102 includes a cache 104 that stores code and data forexecution by processor 102.

Although FIG. 1 illustrates computer system 100 with one processor,computer system 100 can include more than one processor. In amulti-processor configuration, the processors can be located on a singlesystem board, or on multiple system boards.

Processor 102 communicates with storage device 108 through bridge 106and peripheral bus 110. Storage device 108 can include any type ofnon-volatile storage device that can be coupled to a computer system.This includes, but is not limited to, magnetic, optical, andmagneto-optical storage devices, as well as storage devices based onflash memory and/or battery-backed up memory.

Processor 102 communicates with memory 112 through bridge 106. Memory112 can include any type of memory that can store code and data forexecution by processor 102. This includes, but is not limited to,dynamic random access memory (DRAM), static random access memory (SRAM),flash memory, read only memory (ROM), and any other type of memory nowknown or later developed.

Note that although the present invention is described in the context ofcomputer system 100 as illustrated in FIG. 1, the present invention cangenerally operate on any type of computing device. Hence, the presentinvention is not limited to the specific implementation of computersystem 100 as illustrated in FIG. 1.

Note that during operation, computer system 100 generates EMI signalswhen the system is powered up.

Dynamic Counterfeit Detection Using EMI Telemetric Signals

In one embodiment of the present invention, prior to performing acounterfeit detection, EMI time-series signals generated by a certified,authentic reference computer system (“reference computer system”hereafter) are collected. In one embodiment, the EMI signals arecollected while the reference computer system is running a particularload script. One embodiment of the present invention then generates areference EMI fingerprint from the EMI signals, wherein the referenceEMI fingerprint is unique for a computer system of the same type as thereference computer system which contains only certified authenticcomponents. Next, the counterfeit detection is performed on a targetcomputer system of the same type as the reference computer system,wherein the target computer system may contain one or more counterfeitcomponents. Note that both the “training” process on the referencecomputer system and the detection process on the target computer systemrequire monitoring and collecting of associated EMI time-series signals.Hence, although the EMI signal detection techniques described below arein the context of the target computer system, they are also applicableto EMI signal sensing on the reference computer system.

External (Global) EMI Signal Detection Configuration

FIG. 2A illustrates computer system 100 and an associated EMI-basedcounterfeit detector 202 in an external (global) detection configurationin accordance with an embodiment of the present invention. Specifically,EMI-based counterfeit detector 202 further includes an EMI signal sensor204 and an EMI signal analysis mechanism 206. In particular, EMI signalsensor 204 is an antenna 204, which is coupled to EMI signal analysismechanism 206.

Note that the counterfeit detection is performed after computer system100 is powered up. When powered up, computer system 100 generates EMIsignals 208 from a plurality of electronic components, which include,but are not limited to: a central processing unit (CPU), a graphicsprocessing unit (GPU), a hard disk drive (HDD), and memory chips.Antenna 204 is configured to sense EMI signals 208 and couple thesignals to EMI signal analysis mechanism 206. EMI signal analysismechanism 206 analyses EMI signals 208 to determine if one or morecomponents within computer system 100 are counterfeit components. In oneembodiment of the present invention, the EMI signal analysis involvescomparing the collected EMI signals with a reference EMI fingerprintassociated with the reference computer system. EMI signal analysismechanism 206 is described in more detail below.

Note that antenna 204 in FIG. 2A is positioned outside chassis 210 ofcomputer system 100, i.e., in an external detection configuration. Morespecifically, antenna 204 can be positioned either in close proximity tocomputer system 100, or further away from computer system 100. Toachieve better sensitivity in antenna 204 and hence highersignal-to-noise ratio (SNR) in counterfeit detector 202, a smallerdistance between computer system 100 and antenna 204 is preferred. Inaddition to distance, the sensitivity of antenna 204 can also beaffected by its orientation with respect to computer system 100. Alsonote that antenna 204 can be positioned in close proximity (butexternally) to a specific component within computer system 100 that isdeemed to be prone to counterfeiting (e.g., due to the value of thespecific component or to a known history of high counterfeiting rates).

In one embodiment of the present invention, antenna 204 is positioned ata predetermined distance and orientation with respect to computer system100. Furthermore, the same distance and orientation are used to detectthe reference EMI signals from the reference computer system prior toperforming the external detection. The consistency of antenna placementwith respect to the systems being monitored can increase the ability ofthe technique to discriminate between the reference EMI signals and EMIsignals 208.

Using the illustrated external detection configuration, EMI emissionsfrom a collection of components within computer system 100 are collectedby antenna 204. In one embodiment, this external detection configurationcan be used to generate a complex EMI fingerprint for the entire system.

Internal (Local) EMI Detection Configuration

FIG. 2B illustrates computer system 100 and an associated EMI-basedcounterfeit detector 212 in an internal (local) detection configurationin accordance with an embodiment of the present invention. In oneembodiment, counterfeit detector 212 further includes an antenna 214coupled to an EMI signal analysis mechanism 216.

Note that antenna 214 in FIG. 2B is positioned inside chassis 218 ofcomputer system 100 in an internal detection configuration. For example,antenna 214 can be positioned inside chassis 218 through an opening onchassis 218. In one embodiment of the present invention, antenna 214 canbe placed at a fixed position within a specified distance of a targetcomponent within computer system 100. For example, in FIG. 2B antenna214 is placed at a specific location in the vicinity of a CPU 220. Inthis configuration, antenna 214 can be used to pick up EMI signals 222generated by CPU 220 with a high SNR. Note that, in addition to thedistance, the sensitivity of antenna 214 can also be affected by itsorientation with respect to CPU 220.

In another embodiment of the present invention, antenna 214 is manuallymoved to multiple fixed positions inside computer system 100. In thisembodiment, antenna 214 can be used to sequentially collect EMIemissions from multiple potential counterfeit components inside system100 to achieve high SNRs.

In a further embodiment of the present invention, multiple antennas (notshown) can be simultaneously placed at multiple fixed positions insidecomputer system 100. In this embodiment, the system can simultaneouslycollect multiple high-SNR EMI signals from multiple potentiallycounterfeit components. For example, one antenna can be located within aspecified distance of each of the CPUs in a multi-processor system. Inthis embodiment, EMI signal analysis mechanism 216 receives multiplechannels of EMI signals sensed by the multiple antennas.

Note that both the external detection technique of FIG. 2A and internaldetection technique of FIG. 2B can detect either a single counterfeitcomponent in the system or a completely counterfeit system (i.e.,wherein most or all the components have been counterfeited). Comparedwith internal detection, external detection is non-intrusive and easierto implement. However, external detection may not provide a sufficientlyhigh SNR to discriminate a single counterfeit component inside thesystem that does not perturb the global EMI fingerprint significantly.In contrast, internal detection may be more difficult to implement andcan require a more complex signal analyzing mechanism (for multiple EMIsignals from multiple antennas). However, the internal detection canachieve better SNR performance for discriminating a singlecounterfeiting component.

Note that the placement of an antenna in relation to a computer systemis not meant to be limited to the particular configurations illustratedin FIGS. 2A and 2B.

Antenna

In one embodiment of the present invention, antenna 204 or antenna 214can include: a dipole antenna, a Yagi-Uda antenna, a loop antenna, anelectrical short antenna (e.g., an open-ended wire having a length lessthan a quarter wavelength), a fractal antenna, a parabolic antenna, amicrostrip antenna, a quad antenna, a random wire antenna (e.g., anopen-ended wire having a length greater than one wavelength), a beverageantenna, a helical antenna, a phased array antenna, and any other typeof antenna now known or later developed.

In one embodiment of the present invention, antenna 204 or antenna 214is an insulated wire with a fixed length of the insulation stripped off.In this embodiment, the stripped end of the insulated wire is open tofree space and the other end of the wire is coupled to the associatedreceiving mechanism. In one embodiment of the present invention, thestripped length is approximately ½ inch. In another embodiment of thepresent invention, the length of the antenna can be selected to achieveoptimal discrimination sensitivity and robustness. Note that while manytypes of antennas can be used to collect the EMI signals, stripped wireprovides a simple and inexpensive option.

EMI Signal Analysis Mechanism

FIG. 3 illustrates the detailed structure of an EMI signal analysismechanism 206 (or 216) in accordance with an embodiment of the presentinvention. EMI signal analysis mechanism 206 (or 216) includes: anexecution mechanism 302, a receiving mechanism 304, afingerprint-generation mechanism 306, and a fingerprint-comparisonmechanism 308. Note that FIG. 3 should be viewed in the context of FIGS.2A and 2B.

In one embodiment of the present invention, execution mechanism 302causes load script 310 to be executed by computer system 100. Forexample, execution mechanism 302 can transmit load script 310 and acommand to execute load script 310 across a wired or wireless network tocomputer system 100. In another embodiment of the present invention,execution mechanism 302 is embedded in computer system 100 and islocated outside of EMI signal analysis mechanism 206 (or 216). In thisembodiment, load script 310 is preloaded onto computer system 100 andexecution mechanism 302 is configured to execute load script 310 duringa counterfeit-detection process. In yet another embodiment, executionmechanism 302, which is associated with EMI signal analysis mechanism206 (or 216), can cause execution of load script 310 which is stored oncomputer system 100.

In one embodiment of the present invention, load script 310 can include:a sequence of operations that produces a load profile that oscillatesbetween specified CPU utilization percentages; and/or a sequence ofoperations that produces a customized load profile. Note that acustomized load profile can be used to produce a unique fingerprintwhich is difficult to spoof.

In one embodiment of the present invention, during the execution of loadscript 310, computer system 100 generates EMI signals 312 which arecollected by antenna 314, which is placed either inside or in thevicinity of computer system 100. In one embodiment of the presentinvention, antenna 314 is coupled to a receiving mechanism 304, whichreceives EMI signals 312 collected by antenna 314. In one embodiment ofthe present invention, the EMI signals are amplified by receivingmechanism 304.

In one embodiment of the present invention, receiving mechanism 304 iscoupled to fingerprint-generation mechanism 306. Fingerprint-generationmechanism 306 generates an EMI fingerprint for computer system 100 fromEMI signals 312. This process is described in more detail below. In oneembodiment of the present invention, fingerprint-comparison mechanism308 compares the

EMI fingerprint from fingerprint-generation mechanism 306 to a referenceEMI fingerprint to determine whether computer system 100 contains one ormore counterfeit components. In one embodiment, the reference EMIfingerprint is generated from a certified authentic reference computersystem while executing the same load script. We describe the process ofgenerating the reference EMI fingerprint in more detail below inconjunction with FIG. 5.

Although we describe EMI signals 312 as being generated by computersystem 100 while executing a predetermined load script, EMI signals 312can also be generated during other execution states of computer system100. In one embodiment of the present invention, EMI signals 312 aregenerated while computer system 100 is idling. Note that the EMIfingerprint associated with execution of a dynamic load script typicallypossesses a richer feature content which helps to increasediscrimination capabilities.

FIG. 4 presents a flowchart illustrating the process of detectingcounterfeit components in a target computer system based on EMIfingerprints in accordance with an embodiment of the present invention.During operation, the system executes a load script on a target computersystem, wherein the load script includes a specified sequence ofoperations (step 402). In one embodiment of the present invention, theload script is a dynamic load script which changes the load on the CPUas a function of time. Next, the system collects target EMI signalsgenerated by the target computer system while executing the load script(step 404). In one embodiment of the present invention, the systemcollects the EMI signals using one or more antennas positioned in closeproximity to the target computer system. In one embodiment of thepresent invention, EMI signals are time-series signals.

The system then generates a target EMI fingerprint for the targetcomputer system from the target EMI signals (step 406). We describe thisstep in more detail below. Next, the system compares the target EMIfingerprint against a reference EMI fingerprint to determine whether thetarget computer system contains one or more counterfeit components (step408). We describe the details of comparing the two EMI fingerprintsbelow in conjunction with FIG. 10.

Note that the reference EMI fingerprint is associated with an authenticreference computer system of the same type as the target computersystem. We describe the process of generating the reference EMIfingerprint below in conjunction with FIG. 9. Note that the process ofgenerating the target EMI fingerprint shares many of the same steps forgenerating the reference EMI fingerprint.

Generating the Reference EMI Fingerprint

FIG. 5 presents a flowchart illustrating the process of generating areference EMI fingerprint from a certified authentic reference computersystem in accordance with an embodiment of the present invention.

During operation, the system starts by identifying a certified authenticreference computer system (“reference computer system” hereafter) of thesame type as the target computer system (step 502). In one embodiment ofthe present invention, this reference computer system contains onlycertified authentic components.

Next, the system executes a load script on the reference computer system(step 504). In one embodiment of the present invention, the load scriptexecuted by the reference computer system is the same load script whichis executed on the target computer system during the counterfeitdetection process of FIG. 4. In other words, the same load script isused for generating both the reference EMI fingerprint and the targetEMI fingerprint. In one embodiment, the load script is a dynamic loadscript which changes load with time.

The system then collects reference EMI signals generated by thereference computer system while executing the load script (step 506). Inone embodiment of the present invention, the system collects thereference EMI signals using one or more antennas positioned in closeproximity to the reference computer system. In a further embodiment ofthe present invention, the system collects the reference EMI signalsusing one or more antennas placed inside of the reference computersystem. In one embodiment of the present invention, the receivedreference EMI signals are time-series signals. Next, the systemgenerates the reference EMI fingerprint from the received reference EMIsignals (step 508).

FIG. 6 presents a flowchart illustrating the process of generating thereference EMI fingerprint from the collected reference EMI signals inaccordance with an embodiment of the present invention.

During operation, the system starts by transforming the reference EMItime-series signals from the time domain to the frequency domain (step602). In one embodiment of the present invention, transforming the EMItime-series signals from the time domain to the frequency domaininvolves using a fast Fourier transform (FFT). In other embodiments,other transform functions can be used, including, but not limited to, aLaplace transform, a discrete Fourier transform, a Z-transform, and anyother transform technique now known or later developed.

The system then divides the frequency range associated with thefrequency-domain representation of the reference EMI signals into aplurality of “bins,” and represents each discrete bin with arepresentative frequency value (step 604). In one embodiment, thesefrequency bins and the associated frequency values are equally spaced.

Next, for each of the plurality of representative frequencies, thesystem constructs an amplitude-time series based on the reference EMIsignals collected over a predetermined time period (step 606). In oneembodiment, to generate the time-series for each frequency, thereference EMI signals are collected at predetermined time intervals, forexample once every second. The newly collected EMI signals are thentransformed into the frequency domain, and an amplitude-time pair issubsequently extracted for each of the representative frequencies. Next,new reference EMI signals are collected over the next time interval toextract the next amplitude-time pair. In this way, the system generatesa large number of amplitude-time series for the plurality offrequencies.

Next, the system selects a subset of frequencies from the plurality ofrepresentative frequencies based on the associated amplitude-time series(step 608). Specifically, FIG. 7 presents a flowchart illustrating theprocess of selecting the subset of frequencies based on the correlationsbetween amplitude-time series in accordance with an embodiment of thepresent invention.

During operation, the system computes cross-correlations between pairsof amplitude-time series associated with pairs of the representativefrequencies (step 702). Next, the system computes an average correlationcoefficient for each of the plurality of representative frequencies(step 704). The system then ranks and selects a subset of Nrepresentative frequency values that are associated with the highestaverage correlation coefficients (step 706). Note that theamplitude-time series associated with these N frequency values are themost highly correlated with other amplitude-time series. In oneembodiment of the present invention, N is typically less than or equalto 20. We refer to these selected frequencies as “signaturefrequencies.”

Referring back to FIG. 6, when the signature frequencies are selected,the system generates the reference EMI fingerprint using theamplitude-time series associated with the signature frequencies (step610).

FIG. 8 illustrates a portion of a combined frequency-spectrum-timeseries produced from the reference EMI signals generated by a referencecomputer system while executing a load script in accordance with anembodiment of the present invention. Specifically, thefrequency-spectrum-time series illustrated in FIG. 8 was observed duringexecution of a load named “BUSTEST.” Note that for any discretefrequency bin, the time observations (along the time axis) trace out atime series signature. Correlation patterns can be clearly observedbetween different frequency-time series. Hence, the reference EMIfingerprint can be extracted from these correlation patterns.

Note that although the above description associated with FIGS. 4-7 isbased on a process in which both the reference computer system and thetarget computer system generate the EMI signals while executing aspecific load script, other embodiments of the present invention do notrequire execution of such a load script. For example, both the targetEMI signals and the reference EMI signals can be collected when thetarget computer system and the reference computer system are idle (butpowered up), or when each is running different programs.

In one embodiment of the present invention, the selected N time-series(i.e., the reference EMI fingerprint) are used to train a non-linear,non-parametric (NLNP) regression model. In one embodiment of the presentinvention, the NLNP regression module is generated using a multivariatestate estimation technique (MSET). The term “MSET” as used in thisspecification refers to a class of pattern recognition algorithms. Forexample, see “Use of Kernel Based Techniques for Sensor Validation inNuclear Power Plants,” by Andrei V. Gribok, J. Wesley Hines, and RobertE. Uhrig, The Third American Nuclear Society International TopicalMeeting on Nuclear Plant Instrumentation and Control and Human-MachineInterface Technologies, Washington D.C., Nov. 13-17, 2000 (Gribokhereafter). This paper outlines several different pattern recognitionapproaches. Hence, the term “MSET” as used in this specification canrefer to (among other things) any technique outlined in Gribok,including Ordinary Least Squares (OLS), Support Vector Machines (SVM),Artificial Neural Networks (ANNs), MSET, or Regularized MSET (RMSET).

Because the NLNP regression module is trained based on the certifiedauthentic computer system, the NLNP regression module can besubsequently used in a comparison against a target EMI fingerprintgenerated from the target computer system.

Generating the Target EMI Fingerprint

FIG. 9 presents a flowchart illustrating the process of generating atarget EMI fingerprint for the target computer system in accordance withan embodiment of the present invention.

Note that the target EMI fingerprint for the target computer system canbe generated from the target EMI signals in a similar manner togenerating the reference EMI fingerprint. Specifically, the system cantransform the target EMI time-series signals from the time domain to thefrequency domain, for example by using an FFT technique (step 902).Next, for each of the signature frequencies comprising the reference EMIfingerprint, the system generates an amplitude-time series in the samemanner as construction of the amplitude-time series in conjunction withstep 604 (step 904). The system then generates the target EMIfingerprint using the generated amplitude-time series (step 906). In oneembodiment of the present invention, the target EMI fingerprintcomprises all the signature frequencies as the reference EMIfingerprint. In a further embodiment, the target EMI fingerprintcomprises a subset of the signature frequencies in the reference EMIfingerprint.

Comparing the Reference and Target EMI Fingerprints

FIG. 10 presents a flowchart illustrating the process of comparing thetarget EMI fingerprint against the reference EMI fingerprint todetermine whether the target computer system contains a counterfeitcomponent in accordance with an embodiment of the present invention.

During operation, the system produces an estimated amplitude-time seriessignal for each of the N signature frequencies using an NLNP regressionmodel trained with the reference EMI fingerprint (step 1002). In oneembodiment of the present invention, the NLNP regression model is anMSET model. In this embodiment, the MSET model is generated byperforming an analytical estimation based on the correlation between thereference EMI fingerprint and the target EMI time-series at eachcorresponding selected frequency.

Next, for one or more of the N signature frequencies, the systemcompares a corresponding amplitude-time series signal in the target EMIfingerprint with the estimated amplitude-time series signal produced bythe regression model (step 1004). In one embodiment of the presentinvention, comparing the time series involves first computing a residualsignal between a corresponding pair of amplitude-time series, and thendetecting anomalies in the residual signal using sequential detectiontechniques. In one embodiment of the present invention, the sequentialdetection techniques include the Sequential Probability Ratio Test(SPRT). Note that the system can determine if the two signals matchbased on the SPRT alarm rate. The system then determines based on thecomparison results whether the target EMI fingerprint matches theestimated signals produced by the regression model (step 1006). In oneembodiment of the present invention, the system determines that thetarget computer system contains one or more counterfeit components ifthe target EMI signals and the reference EMI signals do not match at oneor more of the signature frequencies.

Note that the comparison process described in conjunction with FIG. 10can be performed both in real-time or offline. In an offline scenario,the target EMI signals are first collected but comparison operations areperformed offline.

EXAMPLES

FIGS. 11A-11D illustrate an exemplary application that uses EMIfingerprints to detect counterfeit hard disk drives (HDDs) in accordancewith an embodiment of the present invention. In order to “simulate” acounterfeit component, we selected two interchangeable HDDs havingidentical specifications, but different internal circuitry. The HDDsmanufactured by Company A are treated as the authentic reference HDDs,whereas the mechanically interchangeable “simulated counterfeit” HDDsare manufactured by Company B.

FIG. 11A illustrates a portion of a combinedfrequency-spectrum-time-series corresponding to EMI signals generated bya disk drive from Company-A while executing random reads in accordancewith an embodiment of the present invention. Similarly, FIG. 11Billustrates a portion of a combined frequency-spectrum-time seriescorresponding to EMI signals generated by a disk drive from Company-Bwhile executing random reads in accordance with an embodiment of thepresent invention.

In the above-described fingerprint generation process, the reference andtarget EMI fingerprints can be generated from these plots wherein eachfingerprint comprises a set of signature frequency components for thesubsequent comparison.

FIG. 11C illustrates the process of comparing the 332 MHz signature inthe target EMI fingerprint of the disk drive from Company-B and in thereference EMI fingerprint of the disk drive from Company-A in accordancewith an embodiment of the present invention. More specifically, subplot1002 illustrates two time series data: an estimated time-series signal1004 which is generated from the reference EMI fingerprint using theMSET technique described in conjunction with FIG. 10, step 1002; and amonitored time-series signal 1006 representing the target EMIfingerprint. Subplot 1008 illustrates a residual signal 1010 betweenestimated signal 1004 and monitored signal 1006. A SequentialProbability Ratio Test (SPRT) is then applied to residual signal 1010.Subplot 1012 illustrates the SPRT alarms based on residual signal 1010.Note that the large number of SPRT alarms in the bottom subplotindicates the two signals are not identical with a confidence factor of99.9%. Consequently, the EMI signature at 332 MHz can be used to detectthe “counterfeit module” with a very high confidence level.

FIG. 11D illustrates the process of comparing the 332.6667 MHz signaturein the target EMI fingerprint of the disk drive from Company-B and inthe reference EMI fingerprint of the disk drive from Company-A inaccordance with an embodiment of the present invention. Note that theSPRT alarm behavior is substantially the same as in FIG. 11C.

CONCLUSION

Embodiments of the present invention use distinctive EMI fingerprints asa non-intrusive means of detecting the presence of counterfeitcomponents inside computer systems or other electronic systems that mayinclude different types of internal integrated circuit boards, logicchips, memory chips, flash PROMs, etc. Note that the present inventionmay not work if the “counterfeit parts” and the authentic parts reallyare identical (e.g., if some systems are stolen and then the stolengoods are re-sold as authentic systems). Although stolen goods are aproblem, a much bigger problem in the electronics industry is thecounterfeiting of parts, wherein the internal integrated circuitry isdifferent and (most likely) inferior to the authentic parts in terms ofperformance, quality, safety, and lifetime.

The foregoing descriptions of embodiments of the present invention havebeen presented only for purposes of illustration and description. Theyare not intended to be exhaustive or to limit the present invention tothe forms disclosed. Accordingly, many modifications and variations willbe apparent to practitioners skilled in the art. Additionally, the abovedisclosure is not intended to limit the present invention. The scope ofthe present invention is defined by the appended claims.

1. A method for non-intrusively detecting counterfeit components in a target computer system, the method comprising: collecting target electromagnetic interference (EMI) signals generated by the target computer system using one or more antennas positioned in close proximity to the target computer system; generating a target EMI fingerprint for the target computer system from the target EMI signals; and comparing the target EMI fingerprint against a reference EMI fingerprint to determine whether the target computer system contains a counterfeit component.
 2. The method of claim 1, wherein prior to collecting the target EMI signals, the method further comprises generating the reference EMI fingerprint by: collecting reference EMI signals generated by a certified authentic reference computer system of the same type as the target computer system using one or more antennas positioned in close proximity to the certified authentic reference computer system; and generating the reference EMI fingerprint for the certified authentic reference computer system from the reference EMI signals.
 3. The method of claim 2, wherein the reference EMI signals are generated by the certified authentic reference computer system during execution of a load script, wherein the load script includes a specified sequence of operations; and wherein the target EMI signals are generated by the target computer system during execution of the same load script.
 4. The method of claim 3, wherein generating the reference EMI fingerprint involves: transforming the reference EMI signals from a time-domain representation to a frequency-domain representation, which is comprised of a plurality of discrete frequencies; for each of the plurality of discrete frequencies, constructing an amplitude-time series based on the reference EMI signals collected over a predetermined time period; selecting a subset of frequencies from the plurality of discrete frequencies based on the associated amplitude-time series; and generating the reference EMI fingerprint using the amplitude-time series associated with the selected frequencies.
 5. The method of claim 4, wherein selecting the subset of frequencies involves: computing cross-correlations between pairs of amplitude-time series associated with pairs of the plurality of frequencies; computing an average correlation coefficient for each of the plurality of frequencies; and selecting the subset of frequencies that are associated with the highest average correlation coefficients.
 6. The method of claim 4, wherein generating the target EMI fingerprint involves: transforming the target EMI signals from a time-domain representation to a frequency-domain representation; and for each of the selected frequencies in the reference EMI fingerprint, generating an amplitude-time series based on the frequency-domain representation of the target EMI signals collected over time.
 7. The method of claim 1, wherein the method further comprises training a non-linear, non-parametric regression model using the reference EMI fingerprint for the certified authentic reference computer system.
 8. The method of claim 7, wherein comparing the target EMI fingerprint against the reference EMI fingerprint involves: for each of the selected frequencies, producing an estimated amplitude-time series signal using the regression model; and comparing a corresponding amplitude-time series signal in the target EMI fingerprint with the estimated amplitude-time series signal produced by the regression model; and determining from the comparison whether the target EMI fingerprint matches the estimated signals produced by the regression model.
 9. The method of claim 8, wherein determining whether the target EMI fingerprint matches the estimated signals involves: computing a residual signal between a corresponding pair of amplitude-time series; and detecting anomalies in the residual signal by using sequential detection techniques.
 10. The method of claim 1, wherein the one or more antennas are positioned outside of the chassis of the target computer system.
 11. The method of claim 1, wherein the one or more antennas are positioned at a predetermined distance from and orientation to the chassis of the target computer system.
 12. The method of claim 1, wherein the one or more antennas are positioned inside the chassis of the target computer system.
 13. The method of claim 1, wherein the one or more antennas are positioned in the vicinity of a target component with the target computer system.
 14. The method of claim 1, wherein multiple antennas are positioned in the vicinity of multiple target components within the target computer system.
 15. The method of claim 2, wherein the one or more antennas used to collect the reference EMI signals are placed in substantially the same manner with respect to the reference computer system as the one or more antennas used to collect the reference EMI signals are placed with respect to the target computer system.
 16. The method of claim 1, wherein each antenna can be a wire.
 17. The method of claim 15, wherein the wire is a striped wire.
 18. An apparatus that non-intrusively detects counterfeit components in a target computer system, comprising: one or more antennas; a collecting mechanism coupled to the one or more antennas, wherein the collecting mechanism is configured to collect target electromagnetic interference (EMI) signals generated by the target computer system using the one or more antennas positioned in close proximity to the target computer system; a generating mechanism configured to generate a target EMI fingerprint for the target computer system from the target EMI signals; and a comparison mechanism configured to compare the target EMI fingerprint against a reference EMI fingerprint to determine whether the target computer system contains a counterfeit component.
 19. The apparatus of claim 18, wherein the collecting mechanism is further configured to collect reference EMI signals generated by a certified authentic reference computer system of the same type as the target computer system using one or more antennas positioned in close proximity to the certified authentic reference computer system; and wherein the generating mechanism is further configured to generate the reference EMI fingerprint for the certified authentic reference computer system from the reference EMI signals.
 20. The apparatus of claim 18, wherein the one or more antennas are positioned outside of the chassis of the target computer system.
 21. The apparatus of claim 18, wherein the one or more antennas are positioned inside the chassis of the target computer system.
 22. The apparatus of claim 18, wherein the one or more antennas are positioned in the vicinity of a target component within the target computer system.
 23. The apparatus of claim 18, wherein each antenna can be a wire.
 24. A method for non-intrusively detecting counterfeit components in a target computer system, the method comprising: collecting target electromagnetic interference (EMI) signals generated by a target component within the target computer system using one or more antennas positioned in close proximity to the target component; generating a target EMI fingerprint for the target component from the target EMI signals; and comparing the target EMI fingerprint against a reference EMI fingerprint associated with the target component within a certified authentic computer system of the same type as the target computer system; and determining whether the target component within the target computer system is a counterfeit component based on the comparison result.
 25. The method of claim 24, wherein prior to collecting the target EMI signals, the method further comprises generating the reference EMI fingerprint by: collecting reference EMI signals generated by the target component within the certified authentic reference computer system using one or more antennas positioned in close proximity to the target component; and generating the reference EMI fingerprint for the target component from the reference EMI signals. 